We are going to proxy EAP to another site with all freeradius (we are using 2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows:
Our site only accept non @domain format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius).
But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using @domain to pass the EAP/mschapv2 authentication with stripped-user-name, I'm not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication,
That's fine.
and then I try to remove the suffix from inner EAP user name or change the outer user name in client EAP supplicant
And why would you want to do a thing like that? Just leave it alone.
(in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel?
Why do you care what is stored on their database? It's none of your concern. You just proxy unaltered usernames to them.
And how can remove the suffix in inner EAP tunnel while authentication?
By using suffix module in freeradius (enabled by default). You just configure aaa.net as a local realm in proxy.conf.
Or all account have suffix in another site DB.
That is also possible. Ivan Kalik Kalik Informatika ISP